From d1e7e49a9de2c46922cc4d86770051263398d29d Mon Sep 17 00:00:00 2001
From: hobbescodes <87732294+hobbescodes@users.noreply.github.com>
Date: Tue, 16 Jun 2026 11:28:13 -0400
Subject: [PATCH] chore(authz): adopt typed Warden relation contract from providers

Make the lib/authz checkPermission wrapper generic over the resource type so permission is constrained to the relations Warden defines for it, matching the new @omnidotdev/providers signature. All existing call sites already use valid relations, so this adds type safety with no behavior change. Bumps providers to the build that ships the contract.
---
 bun.lock | 4 ++--
 package.json | 2 +-
 src/lib/authz/index.ts | 8 +++++---
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/bun.lock b/bun.lock
index f99fcd4..3e16cc1 100644
--- a/bun.lock
+++ b/bun.lock
@@ -14,7 +14,7 @@ "@graphile/pg-aggregates": "^0.2.0-rc.1", "@graphile/simplify-inflection": "^8.0.0-rc.2", "@graphql-yoga/plugin-disable-introspection": "^2.19.0", - "@omnidotdev/providers": "github:omnidotdev/providers#ddc7829", + "@omnidotdev/providers": "github:omnidotdev/providers#1d1c21d", "@omnidotdev/search": "github:omnidotdev/search", "@opentelemetry/api": "^1.9.0", "@opentelemetry/auto-instrumentations-node": "^0.68.0",
@@ -265,7 +265,7 @@ "@npmcli/redact": ["@npmcli/redact@4.0.0", "", {}, "sha512-gOBg5YHMfZy+TfHArfVogwgfBeQnKbbGo3pSUyK/gSI0AVu+pEiDVcKlQb0D8Mg1LNRZILZ6XG8I5dJ4KuAd9Q=="], - "@omnidotdev/providers": ["@omnidotdev/providers@github:omnidotdev/providers#ddc7829", { "dependencies": { "ajv": "^8.18.0", "jose": "^6.1.3" }, "peerDependencies": { "@aws-sdk/client-s3": ">=3.0.0", "@aws-sdk/s3-request-presigner": ">=3.0.0", "@envelop/types": ">=5.0.0", "@escape.tech/graphql-armor": ">=3.0.0", "@iggy.rs/sdk": ">=1.0.0", "@tanstack/query-core": ">=5.0.0", "ajv": ">=8.0.0", "graphile-export": ">=1.0.0-rc.0", "postgraphile": ">=5.0.0-rc.0", "react": ">=19.0.0", "resend": ">=4.0.0", "unleash-client": ">=6.0.0" }, "optionalPeers": ["@aws-sdk/client-s3", "@aws-sdk/s3-request-presigner", "@envelop/types", "@escape.tech/graphql-armor", "@iggy.rs/sdk", "@tanstack/query-core", "ajv", "graphile-export", "postgraphile", "react", "resend", "unleash-client"] }, "omnidotdev-providers-ddc7829", "sha512-WfAqi9pT7vnpUSl+almoxe8jQDjOSTsfbFx4UYXDplfdfnFfBcWzQ6/446byMUSMFIgCbm7LhVv5h/ktayulIg=="], + "@omnidotdev/providers": ["@omnidotdev/providers@github:omnidotdev/providers#1d1c21d", { "dependencies": { "ajv": "^8.18.0", "jose": "^6.1.3" }, "peerDependencies": { "@aws-sdk/client-s3": ">=3.0.0", "@aws-sdk/s3-request-presigner": ">=3.0.0", "@envelop/types": ">=5.0.0", "@escape.tech/graphql-armor": ">=3.0.0", "@iggy.rs/sdk": ">=1.0.0", "@tanstack/query-core": ">=5.0.0", "ajv": ">=8.0.0", "graphile-export": ">=1.0.0-rc.0", "postgraphile": ">=5.0.0-rc.0", "react": ">=19.0.0", "unleash-client": ">=6.0.0" }, "optionalPeers": ["@aws-sdk/client-s3", "@aws-sdk/s3-request-presigner", "@envelop/types", "@escape.tech/graphql-armor", "@iggy.rs/sdk", "@tanstack/query-core", "ajv", "graphile-export", "postgraphile", "react", "unleash-client"] }, "omnidotdev-providers-1d1c21d", "sha512-pOAphUoMvMblUH/STnqm3QYjgs/6j4GSaC36iTpLDt9oLFKoh1vAKkHuB5eYBgdADab7zy3n2qWKTRJ7An1WpA=="], "@omnidotdev/search": 
["@omnidotdev/search@github:omnidotdev/search#02bb5c1", { "dependencies": { "meilisearch": "^0.48.0" } }, "omnidotdev-search-02bb5c1", "sha512-1jp7JTCsDy8Ac0qG2kLVK6J/2HDraJhsNVObkBsS/Lobt222cU15uao93PSNpgzOZ014kmI5Gfu/GpcQq8vjuw=="],
diff --git a/package.json b/package.json
index f684941..65b9171 100644
--- a/package.json
+++ b/package.json
@@ -41,7 +41,7 @@
 "@graphile/pg-aggregates": "^0.2.0-rc.1",
 "@graphile/simplify-inflection": "^8.0.0-rc.2",
 "@graphql-yoga/plugin-disable-introspection": "^2.19.0",
- "@omnidotdev/providers": "github:omnidotdev/providers#ddc7829",
+ "@omnidotdev/providers": "github:omnidotdev/providers#1d1c21d",
 "@omnidotdev/search": "github:omnidotdev/search",
 "@opentelemetry/api": "^1.9.0",
 "@opentelemetry/auto-instrumentations-node": "^0.68.0",
diff --git a/src/lib/authz/index.ts b/src/lib/authz/index.ts
index 63a366b..55234b1 100644
--- a/src/lib/authz/index.ts
+++ b/src/lib/authz/index.ts
@@ -12,6 +12,8 @@ import type {
 PermissionCheck,
 PermissionCheckResult,
 TupleSyncResult,
+ WardenRelation,
+ WardenResourceType,
 } from "@omnidotdev/providers";
 /** @knipignore Used by scripts */
@@ -40,11 +42,11 @@ export function isTransactionalSyncMode(): boolean {
 *
 * @param accessToken - JWT access token (kept for API compatibility, auth handled by provider config)
 */
-export async function checkPermission(
+export async function checkPermission(
 userId: string,
- resourceType: string,
+ resourceType: T,
 resourceId: string,
- permission: string,
+ permission: WardenRelation,
 _accessToken: string,
 requestCache?: Map,
 ): Promise {
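Review bot: The narrowing of `resourceType: T` and `permission: WardenRelation` on `checkPermission` in the second hunk of src/lib/authz/index.ts exists only at the type level, and the JSDoc above the signature still documents nothing but `accessToken`. TypeScript erases the constraint at build time, so a call site that forwards a relation name from request data and satisfies the signature with an `as` cast gets no protection. The body continues past the end of the hunk, so whether the relation is validated at runtime before the provider call cannot be seen from here. I would add `@typeParam T - Warden resource type; limits permission to the relations Warden defines for it (compile-time only, not checked at runtime)` to the doc comment. A lint rule or review convention against casting into `WardenRelation` at call sites would keep the guarantee meaningful for an authorization check.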